We have a security firewall that authenticates with cookies; however, it seems that the current implementation of SSE sends an auth token as a query param, and it does not use withCredentials to send cookies.

Is there any way to support cookies to be sent and/or use an alternate server URL for that particular endpoint?

SSE only sends the OAuth token as a query parameter in the local testing environment, when running the local npm serve. This is required because it is running outside of the Drone server environment. If you log in to cloud.drone.io (for example) and inspect the underlying network request to /api/streams you will see the _session_ cookie is included in the request.
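An added example, not part of the thread and not Drone's own code: it works through the three ways a browser `EventSource` can authenticate to `/api/streams` (same-origin cookie, local-dev query token, cross-origin cookie via `withCredentials`), the CORS response headers a credentialed cross-origin stream needs, and redaction of the token before a URL is logged. The function names, the `access_token` parameter name and the hostnames are assumptions.

```javascript
// Assumed query parameter name; the thread does not give the real one.
const TOKEN_PARAM = 'access_token';

// Decide how the stream request authenticates. The result is what would be
// passed to `new EventSource(plan.url, plan.init)` in the browser.
function planStream(pageOrigin, serverBase, devToken) {
  const url = new URL('/api/streams', serverBase);
  if (url.origin === new URL(pageOrigin).origin) {
    // Same-origin EventSource requests carry cookies with no extra option.
    return { url: url.href, init: {}, auth: 'cookie' };
  }
  if (devToken) {
    // UI served separately from the server (local dev): token in the query.
    url.searchParams.set(TOKEN_PARAM, devToken);
    return { url: url.href, init: {}, auth: 'query-token' };
  }
  // Cross-origin with cookies: the page has to opt in explicitly.
  return { url: url.href, init: { withCredentials: true }, auth: 'cookie' };
}

// A credentialed cross-origin response is only readable if the server echoes
// the exact origin (a "*" wildcard is rejected) and allows credentials.
function credentialedCorsOk(pageOrigin, headers) {
  return headers['access-control-allow-origin'] === pageOrigin &&
         headers['access-control-allow-credentials'] === 'true';
}

// Query-string tokens end up in proxy and access logs; strip before logging.
function redactForLog(href) {
  const u = new URL(href);
  if (u.searchParams.has(TOKEN_PARAM)) u.searchParams.set(TOKEN_PARAM, 'REDACTED');
  return u.href;
}

// Constructed sample values, not taken from a real deployment.
const dev = planStream('http://localhost:3000', 'http://localhost:8080', 'tok123');
console.log(dev.auth, redactForLog(dev.url));
```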